How to deploy the Splunk App for Windows Infrastructure
This topic details the deployment procedure for the Splunk App for Windows Infrastructure.
There are several steps to installing the Splunk App for Windows Infrastructure:
- First, you prepare your Active Directory environment so that it generates and formats the data that the Splunk App for Windows Infrastructure needs.
- Next, you set up the central Splunk App for Windows Infrastructure instance.
- Then, you configure the Splunk App for Windows Infrastructure on the central Splunk instance to receive and search the incoming data.
- Then, you install universal forwarders on the Windows servers and Active Directory domain controllers in the environment.
- After that, you configure the universal forwarders with add-ons that come with the Splunk App for Windows Infrastructure installation package.
- Then, you confirm that the universal forwarders are sending data to the central Splunk instance.
- Finally, you generate lookup tables for the app to use.
To deploy the Splunk App for Windows Infrastructure into your environment, perform the following procedure:
Step 1. Prepare your Active Directory environment
Before you can use the Active Directory modules in the Splunk App for Windows Infrastructure, you must prepare your AD environment to generate the required data for the app. If you do not perform this step, then no Active Directory data gets collected, and the app does not display Active Directory data.
Important: You must have administrator-level privileges to complete the following steps. If you do not have these credentials, then find someone in your organization who does, as you cannot finish the procedure without this access.
To prepare your AD environment for the Splunk App for Windows Infrastructure:
1. Verify that all of the domain controllers and DNS servers in your environment have the latest service packs and hot fixes installed.
|If your AD computer runs this version of Windows:||then confirm that it has (at a minimum):|
|Windows Server 2003
Windows Server 2003 R2
|* All service packs|
* The Windows Management Framework Core Package (KB 968930)
* PowerShell v2.0 installed and enabled
* The Administrative Templates for Microsoft PowerShell
|Windows Server 2008 R2 Core||* All service packs|
* PowerShell v2.0 installed and enabled (Learn how to enable PowerShell)
|Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
|* All service packs|
Important: The Splunk App for Windows Infrastructure does not support computers that run Windows Server 2008 Core because that version of Windows does not support PowerShell. You must upgrade or reinstall those systems with a version of Windows that the app supports. Review the platform and hardware requirements for additional information.
2. Confirm that PowerShell v2.0 or later is installed. Versions of PowerShell earlier than v2.0 are not compatible with the Splunk App for Windows Infrastructure.
3. Set your AD environment's forest and domain functional levels to "Windows Server 2003" or higher.
- For additional information on forest and domain functional levels, review "What are Active Directory functional levels?" (http://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx) on MS TechNet.
4. Enable Security event log auditing and local PowerShell script execution on every domain controller in your AD environment.
Caution: When you enable Security event log auditing on your domain controllers, the DCs generate a large number of events. These events significantly impact indexing volume and might cause indexing license violations. You might also see decreased performance on your domain controllers. Read this topic carefully to understand what events the Splunk App for Windows Infrastructure must collect to function properly and which events you can choose not to include.
5. If you want detailed DNS server statistics, enable debug logging on your DNS servers by following the instructions at "Select and enable debug logging options on the DNS server" (http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx) on MS TechNet.
Caution: When you enable debug logging on your DNS servers, you must consider the following caveats:
- If you enable DNS server debug logging, individual DNS server performance will decrease significantly.
- Debug logging generates significant amounts of data that might exhaust disk space on your DNS servers, which can potentially cause downtime. You must watch and rotate your DNS server logs to prevent disk capacity issues from occurring.
- Debug logging also greatly increases the overall amount of data indexed by the Splunk App for Windows Infrastructure. Ensure that you have a Splunk license that can accommodate the additional indexing volume.
6. Prepare your Active Directory for installation of the universal forwarder(s) on DCs and DNS servers as a domain user.
Important: When installing a universal forwarder on an Active Directory domain controller, you must specify the "Local System" user.
Step 2. Install the central Splunk App for Windows Infrastructure instance
Configure the central Splunk Enterprise instance to receive the incoming data and host the app.
|While you can deploy the central Splunk App for Windows Infrastructure instance onto a single server, these instructions assume that you have at least two servers available.
If you want to install the instance on one server, follow the instructions below, but perform all actions on the single server, instead of using two servers.
Depending on the size of your Windows network, you might need significantly more servers to host the central Splunk App for Windows Infrastructure instance.
1. Install two full instances of Splunk Enterprise, or designate an existing installation of two Splunk Enterprise servers as your "central" Splunk instance.
2. Configure one of the servers in the central Splunk instance to be a receiving indexer.
Important: Write down the host name or IP address and port that you use when you configure the receiving indexer as you need this information later in the deployment process.
3. Configure the other server to be a search head.
4. Configure the search head to search across the indexer for data.
Step 3. Install and configure the Splunk App for Windows Infrastructure on the central Splunk instance
1. Download the Splunk App for Windows Infrastructure installation package and place it into an accessible location.
2. Download the Supporting Add-on for Active Directory (also known as SA-ldapsearch) and place it into the same location.
3. Install the Splunk App for Windows Infrastructure onto all search heads in the central Splunk instance.
4. Install the Splunk Supporting Add-on for Active Directory onto all servers in the central Splunk instance.
5. Restart Splunk Enterprise on all servers in the central Splunk instance to ensure that all changes take effect.
Step 4. Install and configure universal forwarders on your Windows and Active Directory servers
1. Install a universal forwarder on each Windows server in your environment.
2. Install a universal forwarder onto Active Directory domain controllers.
Important: When installing the universal forwarders:
- Choose the "Local System" user when asked which user to run the forwarder as.
- Do not enable any of the inputs when installing the universal forwarder.
- When the installer asks you to specify the hostname or IP address for the receiving indexer, use the information that you wrote down in "Install the central Splunk App for Windows Infrastructure instance" above.
- If you use a deployment tool such as Microsoft System Center or Group Policy to install the universal forwarder, you must use the command-line installation instructions and installation flags, and supply these flags to the approprate areas of System Center or Group Policy. Read "Deploy a Windows universal forwarder via the command line" in the core Splunk Enterprise documentation for installation flags and additional information.
- If you have a Splunk Enterprise deployment server in your environment, then you can configure the universal forwarders you install as deployment clients. You can then use the deployment server to deploy apps and configurations to the forwarders.
Step 5. Install and configure additional add-ons for the Splunk App for Windows Infrastructure
After you have installed universal forwarders on each of the Windows servers and Active Directory domain controllers in your deployment, you must configure and install additional add-ons for the Splunk App for Windows Infrastructure.
Where you deploy the additional add-ons for the Splunk App for Windows Infrastructure depends on the server role(s) that each Windows server in your environment holds.
1. If you have not already, download the Splunk App for Windows Infrastructure installation package and place it in an easily accessible location.
2. Download the Splunk Add-on for Windows and place it in the same location.
3. Download the Splunk Add-on for PowerShell and place it in the same location.
4. Extract the Splunk App for Windows Infrastructure installation package.
5. Locate the Splunk Add-ons for Active Directory inside the package, at
splunk_app_windows_infrastructure\appserver\addons. Move or copy all of these add-ons to the location where you downloaded all of the other add-ons.
6. Configure the add-ons to enable inputs.
Important: The Splunk Add-on for Windows requires configuring to enable its inputs.
7. Install or deploy the add-on(s) into the universal forwarders on each Windows server according to its role in your Windows deployment.
Step 6. Confirm that you see data coming in
Once you have configured the add-ons on the universal forwarders in your environment, you should see forwarded data coming into the indexer on the central Splunk App for Windows Infrastructure instance. You can log into the indexer and confirm that you see Windows and Active Directory data coming from the hosts on which you installed universal forwarders.
If you do not see a certain host, confirm:
- That the host is connected to the network and has IP connectivity to the receiving indexer.
- That a firewall is not blocking traffic.
- That the universal forwarder has been configured to send data to the correct receiving host and port.
If you do not see any data, confirm:
- That the receiving indexer is connected to the network.
- That Splunk is running on the receiving indexer.
- That the receiving indexer has been configured to receive forwarded data.
- That a firewall is not blocking traffic.
Step 7. Generate lookup tables
After you have installed the app and confirmed that you are receiving Windows data from the universal forwarders into your central Splunk instance, you must then generate the lookup tables that the Splunk App for Windows Infrastructure uses.
Important: You must wait about 10 to 15 minutes after you have confirmed that the central Splunk instance correctly indexes Windows and Active Directory data before you attempt to generate lookups.
To generate the lookups:
1. Log into the indexer of your central Splunk instance.
2. Once logged in, open the Splunk App for Windows Infrastructure.
3. Generate the lookups shown below by selecting the appropriate menu item under Searches & Reports > Lookup Builder:
- Lookup - Database Information
- Lookup - Host Information
- Lookup - Performance Monitoring
Note: You only need to run each lookup once.
If your Splunk deployment is large or complex, you might want to engage a member of the Splunk Professional Services team to assist you in deploying the Splunk App for Windows Infrastructure.
What a Splunk App for Windows Infrastructure deployment looks like
Install a universal forwarder on each Windows server
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4